
address comments
MS-megliu authored and ancwrd1 committed Dec 13, 2024
1 parent 5c3a9fb commit c377b43
Showing 4 changed files with 11 additions and 20 deletions.
3 changes: 0 additions & 3 deletions Cargo.toml
Expand Up @@ -16,9 +16,7 @@ no-default-features = true

[dependencies]
rustls = { version = "0.23", default-features = false, features = ["std"] }
sha2 = "0.10"
windows-sys = { version = "0.59", features = ["Win32_Foundation", "Win32_Security_Cryptography"] }
aws-lc-rs = { version = "1", optional = true }

[dev-dependencies]
anyhow = "1"
Expand All @@ -29,7 +27,6 @@ rustls-pki-types = "1"
default = ["logging", "tls12", "aws-lc-rs"]
aws-lc-rs = ["rustls/aws_lc_rs"]
early-data = []
aws-lc-bindgen = ["aws-lc-rs/bindgen"]
fips = ["rustls/fips"]
logging = ["rustls/logging"]
ring = ["rustls/ring"]
14 changes: 4 additions & 10 deletions src/cert.rs
Expand Up @@ -90,7 +90,7 @@ impl CertContext {
}

/// Return DER-encoded X.509 certificate chain.
/// (1) exclude the root. (2) check leaf cert to determin to use HKLM engine or HKCU engine
// (1) exclude the root. (2) check leaf cert to determine to use HKLM engine or HKCU engine
pub fn as_chain_der(&self) -> Result<Vec<Vec<u8>>> {
unsafe {
let param = CERT_CHAIN_PARA {
Expand Down Expand Up @@ -135,14 +135,9 @@ impl CertContext {
(*chain_ptr).cElement as usize,
);

let mut first = true;
for element in elements {
if first {
first = false;
} else {
if 0 != ((**element).TrustStatus.dwInfoStatus
& CERT_TRUST_IS_SELF_SIGNED)
{
for (index, element) in elements.iter().enumerate() {
if index != 0 {
if 0 != ((**element).TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) {
break;
}
}
Expand All @@ -153,7 +148,6 @@ impl CertContext {
}

CertFreeCertificateChain(&*context);

Ok(chain)
} else {
Err(CngError::from_win32_error())
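Review bot: The rebuilt loop nests `if index != 0 { if 0 != (...) { break; } }`, which clippy flags as a collapsible-if; `if index != 0 && (**element).TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED != 0 { break; }` expresses the same rule in one condition. Turning the second header line from `///` into `//` also removes the "exclude the root / pick HKLM vs HKCU engine" explanation from the rustdoc of the public `as_chain_der`, which is exactly what a caller needs to know; if it was meant to be hidden, the root-exclusion rule at least belongs in the remaining `///` line, e.g. `/// Return the DER-encoded X.509 certificate chain, with the self-signed root omitted.` Note that root exclusion relies only on `CERT_TRUST_IS_SELF_SIGNED` in `dwInfoStatus` and `dwErrorStatus` is never consulted, so an untrusted or partial chain is returned as built — presumably acceptable because the peer validates it, but worth stating in a comment. `as_chain_der` starts and ends outside the hunk.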
2 changes: 1 addition & 1 deletion src/signer.rs
Expand Up @@ -104,7 +104,7 @@ struct CngSigner {
}

impl CngSigner {
// new hash function using BCryptHash function which uses FIPS certified SymCrypt
// hash function using BCryptHash function which uses FIPS certified SymCrypt
fn hash(&self, message: &[u8]) -> Result<(Vec<u8>, SignaturePadding), Error> {
let (alg, padding) = match self.scheme {
SignatureScheme::RSA_PKCS1_SHA256 => {
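Review bot: The reworded comment still asserts that `BCryptHash` "uses FIPS certified SymCrypt", which this code cannot guarantee: whether the CNG primitive provider is running in a FIPS-validated configuration depends on the OS build and its FIPS policy, not on the call itself, and the crate separately exposes a `fips` Cargo feature that maps to rustls rather than to this path. A hedged wording avoids over-promising to the next reader, e.g. `// Hash via BCryptHash so the digest comes from the OS CNG provider (FIPS-validated when the OS is configured for it) instead of a Rust crate.` The body of `hash` continues outside the hunk.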
12 changes: 6 additions & 6 deletions src/store.rs
Expand Up @@ -136,12 +136,12 @@ impl CertStore {
unsafe { self.do_find(CERT_FIND_HASH, &hash_blob as *const _ as _) }
}

/// On later OS releases, we added CERT_FIND_SHA256_HASH.
/// However, rustls-cng could be installed on earlier OS release where this FIND_SHA256 isn't present.
/// But the CERT_SHA256_HASH_PROP_ID is present.
/// So will need to add a new internal find function that gets and compares the SHA256 property.
/// Also, since SHA1 is being deprecated, Windows components should not use.
/// Therefore, the need to find via SHA256 instead of SHA1.
// On later OS releases, we added CERT_FIND_SHA256_HASH.
// However, rustls-cng could be installed on earlier OS release where this FIND_SHA256 isn't present.
// But the CERT_SHA256_HASH_PROP_ID is present.
// So will need to add a new internal find function that gets and compares the SHA256 property.
// Also, since SHA1 is being deprecated, Windows components should not use.
// Therefore, the need to find via SHA256 instead of SHA1.

/// Find list of certificates matching the SHA256 hash
pub fn find_by_sha256<D>(&self, hash: D) -> Result<Vec<CertContext>>
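Review bot: The explanatory paragraph, now a plain `//` block, is still written from a Windows-team viewpoint ("we added", "Windows components should not use") and the SHA1 sentence is missing its object; since it is no longer rustdoc it should read as a neutral maintainer note. I would reword it to say that `CERT_FIND_SHA256_HASH` exists only on newer Windows releases while `CERT_SHA256_HASH_PROP_ID` is available more widely, so the lookup enumerates certificates and compares that property instead, and that SHA-1 thumbprints are deprecated so callers should prefer `find_by_sha256`. Separately, the `CERT_FIND_HASH` (SHA-1) lookup just above the comment remains available unchanged; if SHA-1 is meant to be discouraged, a `#[deprecated]` attribute or a `///` pointer to the SHA-256 variant on that function would make the comment actionable. The signature and body of `find_by_sha256` continue outside the hunk.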
